91探花

Search within:

Information Security Awareness & Training Standard

Purpose

This standard outlines the responsibilities of university units in ensuring that their staff are appropriately trained to maintain compliance with regulations that protect sensitive data. 

Scope

This standard applies to all 91探花 faculty, staff, student employees, and any third-party affiliates who require access to sensitive university data.

Standard

91探花 is required to protect the confidentiality, integrity, and availability of its data, and as such relies on its employees to be good data stewards and custodians. It is the responsibility of each department to ensure that their staff are appropriately trained in information security best practices for the type of data they process, store, transmit, or access. The department must select the training their staff requires based on data classification and all relevant regulations. For example, some regulations, such as HIPAA and PCI-DSS, require annual information security training to maintain compliance. 

The Office of Information Technology makes available general information security training to faculty, staff, and student employees. Training can be accessed by visiting /oit/security/it-security-training.This training is very broad and intended to be a foundation on which to build more specific skills in accordance with the classification of data a unit processes, stores, transmits, or accesses. On its own, this training does not meet the requirements set out by regulations such as HIPAA and PCI-DSS, therefore it is recommended this training be taken in addition to other specific regulatory compliance coursework.

Departments requesting guidance in identifying appropriate training for their staff may contact the data owner for that sensitive data element.       

FERPAContact the University Registrar

HIPAAContact the HIPAA Chief Privacy Officer

PCI-DSSContact the Office of the Bursar

Other sensitive dataContact the Information Security Office

References

  1. NIST 800 Series Publications
  2. Policy 93.001 Data Classification

Governance

This standard will be reviewed and approved by the university Information Security Office as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups: 

  • Information Technology: Ed Carter (Chair) 

  • Human Resources: Michael Courtney 

  • Faculty: Hans Kruse 

  • Senior Associate Dean: Brian McCarthy 

  • Finance and Administration: Julie Allison

  • Faculty: Shawn Ostermann 

  • Regional Higher Education: Larry Tumblin 

  • Research and Sponsored Programs: Susan Robb

  • Risk Management & Insurance: Larry Wines 

History

Draft versions of this policy were circulated for review and approved August 3, 2023. This policy was re-reviewed and approved on November 2, 2023.